Description:
Foreword xix
Introduction xxi

Domain 1: Security and Risk Management 1
  Understand, Adhere to, and Promote Professional Ethics 2
    (ISC)² Code of Professional Ethics 2
    Organizational Code of Ethics 3
  Understand and Apply Security Concepts 4
    Confidentiality 4
    Integrity 5
    Availability 6
    Limitations of the CIA Triad 7
  Evaluate and Apply Security Governance Principles 8
    Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9
    Organizational Processes 10
    Organizational Roles and Responsibilities 14
    Security Control Frameworks 15
    Due Care and Due Diligence 22
  Determine Compliance and Other Requirements 23
    Legislative and Regulatory Requirements 23
    Industry Standards and Other Compliance Requirements 25
    Privacy Requirements 27
  Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28
    Cybercrimes and Data Breaches 28
    Licensing and Intellectual Property Requirements 36
    Import/Export Controls 39
    Transborder Data Flow 40
    Privacy 41
  Understand Requirements for Investigation Types 48
    Administrative 49
    Criminal 50
    Civil 52
    Regulatory 53
    Industry Standards 54
  Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55
    Policies 55
    Standards 56
    Procedures 57
    Guidelines 57
  Identify, Analyze, and Prioritize Business Continuity Requirements 58
    Business Impact Analysis 59
    Develop and Document the Scope and the Plan 61
  Contribute to and Enforce Personnel Security Policies and Procedures 63
    Candidate Screening and Hiring 63
    Employment Agreements and Policies 64
    Onboarding, Transfers, and Termination Processes 65
    Vendor, Consultant, and Contractor Agreements and Controls 67
    Compliance Policy Requirements 67
    Privacy Policy Requirements 68
  Understand and Apply Risk Management Concepts 68
    Identify Threats and Vulnerabilities 68
    Risk Assessment 70
    Risk Response/Treatment 72
    Countermeasure Selection and Implementation 73
    Applicable Types of Controls 75
    Control Assessments 76
    Monitoring and Measurement 77
    Reporting 77
    Continuous Improvement 78
    Risk Frameworks 78
  Understand and Apply Threat Modeling Concepts and Methodologies 83
    Threat Modeling Concepts 84
    Threat Modeling Methodologies 85
  Apply Supply Chain Risk Management Concepts 88
    Risks Associated with Hardware, Software, and Services 88
    Third-Party Assessment and Monitoring 89
    Minimum Security Requirements 90
    Service-Level Requirements 90
    Frameworks 91
  Establish and Maintain a Security Awareness, Education, and Training Program 92
    Methods and Techniques to Present Awareness and Training 93
    Periodic Content Reviews 94
    Program Effectiveness Evaluation 94
  Summary 95

Domain 2: Asset Security 97
  Identify and Classify Information and Assets 97
    Data Classification and Data Categorization 99
    Asset Classification 101
  Establish Information and Asset Handling Requirements 104
    Marking and Labeling 104
    Handling 105
    Storage 105
    Declassification 106
  Provision Resources Securely 108
    Information and Asset Ownership 108
    Asset Inventory 109
    Asset Management 112
  Manage Data Lifecycle 115
    Data Roles 116
    Data Collection 120
    Data Location 120
    Data Maintenance 121
    Data Retention 122
    Data Destruction 123
    Data Remanence 123
  Ensure Appropriate Asset Retention 127
    Determining Appropriate Records Retention 129
    Records Retention Best Practices 130
  Determine Data Security Controls and Compliance Requirements 131
    Data States 133
    Scoping and Tailoring 135
    Standards Selection 137
    Data Protection Methods 141
  Summary 144

Domain 3: Security Architecture and Engineering 147
  Research, Implement, and Manage Engineering Processes Using Secure Design Principles 149
    ISO/IEC 19249 150
    Threat Modeling 157
    Secure Defaults 160
    Fail Securely 161
    Separation of Duties 161
    Keep It Simple 162
    Trust, but Verify 162
    Zero Trust 163
    Privacy by Design 165
    Shared Responsibility 166
    Defense in Depth 167
  Understand the Fundamental Concepts of Security Models 168
    Primer on Common Model Components 168
    Information Flow Model 169
    Noninterference Model 169
    Bell-LaPadula Model 170
    Biba Integrity Model 172
    Clark-Wilson Model 173
    Brewer-Nash Model 173
    Take-Grant Model 175
  Select Controls Based Upon Systems Security Requirements 175
  Understand Security Capabilities of Information Systems 179
    Memory Protection 180
    Secure Cryptoprocessor 182
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187
    Client-Based Systems 187
    Server-Based Systems 189
    Database Systems 191
    Cryptographic Systems 194
    Industrial Control Systems 200
    Cloud-Based Systems 203
    Distributed Systems 207
    Internet of Things 208
    Microservices 212
    Containerization 214
    Serverless 215
    Embedded Systems 216
    High-Performance Computing Systems 219
    Edge Computing Systems 220
    Virtualized Systems 221
  Select and Determine Cryptographic Solutions 224
    Cryptography Basics 225
    Cryptographic Lifecycle 226
    Cryptographic Methods 229
    Public Key Infrastructure 243
    Key Management Practices 246
    Digital Signatures and Digital Certificates 250
    Nonrepudiation 252
    Integrity 253
  Understand Methods of Cryptanalytic Attacks 257
    Brute Force 258
    Ciphertext Only 260
    Known Plaintext 260
    Chosen Plaintext Attack 260
    Frequency Analysis 261
    Chosen Ciphertext 261
    Implementation Attacks 261
    Side-Channel Attacks 261
    Fault Injection 263
    Timing Attacks 263
    Man-in-the-Middle 263
    Pass the Hash 263
    Kerberos Exploitation 264
    Ransomware 264
  Apply Security Principles to Site and Facility Design 265
  Design Site and Facility Security Controls 265
    Wiring Closets/Intermediate Distribution Facilities 266
    Server Rooms/Data Centers 267
    Media Storage Facilities 268
    Evidence Storage 269
    Restricted and Work Area Security 270
    Utilities and Heating, Ventilation, and Air Conditioning 272
    Environmental Issues 275
    Fire Prevention, Detection, and Suppression 277
  Summary 281

Domain 4: Communication and Network Security 283
  Assess and Implement Secure Design Principles in Network Architectures 283
    Open System Interconnection and Transmission Control Protocol/Internet Protocol Models 285
    The OSI Reference Model 286
    The TCP/IP Reference Model 299
    Internet Protocol Networking 302
    Secure Protocols 311
    Implications of Multilayer Protocols 313
    Converged Protocols 315
    Microsegmentation 316
    Wireless Networks 319
    Cellular Networks 333
    Content Distribution Networks 334
  Secure Network Components 335
    Operation of Hardware 335
    Repeaters, Concentrators, and Amplifiers 341
    Hubs 341
    Bridges 342
    Switches 342
    Routers 343
    Gateways 343
    Proxies 343
    Transmission Media 345
    Network Access Control 352
    Endpoint Security 354
    Mobile Devices 355
  Implement Secure Communication Channels According to Design 357
    Voice 357
    Multimedia Collaboration 359
    Remote Access 365
    Data Communications 371
    Virtualized Networks 373
    Third-Party Connectivity 374
  Summary 374

Domain 5: Identity and Access Management 377
  Control Physical and Logical Access to Assets 378
    Access Control Definitions 378
    Information 379
    Systems 380
    Devices 381
    Facilities 383
    Applications 386
  Manage Identification and Authentication of People, Devices, and Services 387
    Identity Management Implementation 388
    Single/Multifactor Authentication 389
    Accountability 396
    Session Management 396
    Registration, Proofing, and Establishment of Identity 397
    Federated Identity Management 399
    Credential Management Systems 399
    Single Sign-On 400
    Just-In-Time 401
  Federated Identity with a Third-Party Service 401
    On Premises 402
    Cloud 403
    Hybrid 403
  Implement and Manage Authorization Mechanisms 404
    Role-Based Access Control 405
    Rule-Based Access Control 405
    Mandatory Access Control 406
    Discretionary Access Control 406
    Attribute-Based Access Control 407
    Risk-Based Access Control 408
  Manage the Identity and Access Provisioning Lifecycle 408
    Account Access Review 409
    Account Usage Review 411
    Provisioning and Deprovisioning 411
    Role Definition 412
    Privilege Escalation 413
  Implement Authentication Systems 414
    OpenID Connect/Open Authorization 414
    Security Assertion Markup Language 415
    Kerberos 416
    Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus 417
  Summary 418

Domain 6: Security Assessment and Testing 419
  Design and Validate Assessment, Test, and Audit Strategies 420
    Internal 421
    External 422
    Third-Party 423
  Conduct Security Control Testing 423
    Vulnerability Assessment 423
    Penetration Testing 428
    Log Reviews 435
    Synthetic Transactions 435
    Code Review and Testing 436
    Misuse Case Testing 437
    Test Coverage Analysis 438
    Interface Testing 439
    Breach Attack Simulations 440
    Compliance Checks 441
  Collect Security Process Data 442
    Technical Controls and Processes 443
    Administrative Controls 443
    Account Management 444
    Management Review and Approval 445
    Management Reviews for Compliance 446
    Key Performance and Risk Indicators 447
    Backup Verification Data 450
    Training and Awareness 450
    Disaster Recovery and Business Continuity 451
  Analyze Test Output and Generate Report 452
    Typical Audit Report Contents 453
    Remediation 454
    Exception Handling 455
    Ethical Disclosure 456
  Conduct or Facilitate Security Audits 458
    Designing an Audit Program 458
    Internal Audits 459
    External Audits 460
    Third-Party Audits 460
  Summary 461

Domain 7: Security Operations 463
  Understand and Comply with Investigations 464
    Evidence Collection and Handling 465
    Reporting and Documentation 467
    Investigative Techniques 469
    Digital Forensics Tools, Tactics, and Procedures 470
    Artifacts 475
  Conduct Logging and Monitoring Activities 478
    Intrusion Detection and Prevention 478
    Security Information and Event Management 480
    Continuous Monitoring 481
    Egress Monitoring 483
    Log Management 484
    Threat Intelligence 486
    User and Entity Behavior Analytics 488
  Perform Configuration Management 489
    Provisioning 490
    Asset Inventory 492
    Baselining 492
    Automation 493
  Apply Foundational Security Operations Concepts 494
    Need-to-Know/Least Privilege 494
    Separation of Duties and Responsibilities 495
    Privileged Account Management 496
    Job Rotation 498
    Service-Level Agreements 498
  Apply Resource Protection 499
    Media Management 500
    Media Protection Techniques 501
  Conduct Incident Management 502
    Incident Management Plan 503
    Detection 505
    Response 506
    Mitigation 507
    Reporting 508
    Recovery 510
    Remediation 510
    Lessons Learned 511
  Operate and Maintain Detective and Preventative Measures 511
    Firewalls 512
    Intrusion Detection Systems and Intrusion Prevention Systems 514
    Whitelisting/Blacklisting 515
    Third-Party-Provided Security Services 515
    Sandboxing 517
    Honeypots/Honeynets 517
    Anti-malware 518
    Machine Learning and Artificial Intelligence Based Tools 518
  Implement and Support Patch and Vulnerability Management 519
    Patch Management 519
    Vulnerability Management 521
  Understand and Participate in Change Management Processes 522
  Implement Recovery Strategies 523
    Backup Storage Strategies 524
    Recovery Site Strategies 527
    Multiple Processing Sites 527
    System Resilience, High Availability, Quality of Service, and Fault Tolerance 528
  Implement Disaster Recovery Processes 529
    Response 529
    Personnel 530
    Communications 531
    Assessment 532
    Restoration 533
    Training and Awareness 534
    Lessons Learned 534
  Test Disaster Recovery Plans 535
    Read-through/Tabletop 536
    Walkthrough 536
    Simulation 537
    Parallel 537
    Full Interruption 537
  Participate in Business Continuity Planning and Exercises 538
  Implement and Manage Physical Security 539
    Perimeter Security Controls 541
    Internal Security Controls 543
  Address Personnel Safety and Security Concerns 545
    Travel 545
    Security Training and Awareness 546
    Emergency Management 546
    Duress 547
  Summary 548

Domain 8: Software Development Security 549
  Understand and Integrate Security in the Software Development Life Cycle (SDLC) 550
    Development Methodologies 551
    Maturity Models 561
    Operation and Maintenance 567
    Change Management 568
    Integrated Product Team 571
  Identify and Apply Security Controls in Software Development Ecosystems 572
    Programming Languages 572
    Libraries 577
    Toolsets 578
    Integrated Development Environment 579
    Runtime 580
    Continuous Integration and Continuous Delivery 581
    Security Orchestration, Automation, and Response 583
    Software Configuration Management 585
    Code Repositories 586
    Application Security Testing 588
  Assess the Effectiveness of Software Security 590
    Auditing and Logging of Changes 590
    Risk Analysis and Mitigation 595
  Assess Security Impact of Acquired Software 599
    Commercial Off-the-Shelf 599
    Open Source 601
    Third-Party 602
    Managed Services (SaaS, IaaS, PaaS) 602
  Define and Apply Secure Coding Guidelines and Standards 604
    Security Weaknesses and Vulnerabilities at the Source-Code Level 605
    Security of Application Programming Interfaces 613
    API Security Best Practices 613
    Secure Coding Practices 618
    Software-Defined Security 621
  Summary 624

Index 625
Price: 61.84 GBP
Location: Hillsdale, NSW
End Time: 2024-11-02T07:43:26.000Z
Shipping Cost: 65.01 GBP
Item Specifics
Return postage will be paid by: Buyer
Returns Accepted: Returns Accepted
After receiving the item, your buyer should cancel the purchase within: 60 days
Return policy details:
EAN: 9781119789994
UPC: 9781119789994
ISBN: 9781119789994
MPN: N/A
Book Title: The Official (ISC)2 CISSP CBK Reference, 6th Editi
Item Length: 23.8 cm
Item Height: 90 mm
Item Width: 194 mm
Author: Aaron Kraus, Arthur J. Deane
Publication Name: The Official (Isc) 2 Cissp Cbk Reference
Format: Hardcover
Language: English
Publisher: John Wiley & Sons INC International Concepts
Subject: Computer Science
Publication Year: 2021
Type: Textbook
Item Weight: 1256 g
Number of Pages: 672 Pages